Friday, February 3, 2017

The Malware (R)evolution by Cristina Ion

I’ve been given permission by the original author of this post to include it on my blog. I think it’s always a good idea to increase our vocabulary when we learn about new topics. Cybersecurity is still a new area of interest for many people, so hopefully you will benefit from Cristina’s blog post. Oh, did I mention that Cristina is from France? Cybersecurity is a global issue and it is not going away anytime soon. I always say, “Cybersecurity is not an App!” and in France they might say “La cybersécurité n'est pas une application!”.

Posted on 7 September 2016 by Cristina Ion in Blog

Decades after the invention of the Internet, humankind has come to accept evolution as an unavoidable happening. As minds evolve, so does technology. While we’re talking about it, cybersecurity is pretty much obliged to maintain itself at the very forefront of this phenomenon to keep up the pace with the mutations arising from the cyber-criminal world. Computer viruses have grown in complexity over the past few decades and are continually changed by their developers to become more resilient and sophisticated. And with this unwavering malware evolution, terminology was bound to catch up. Or at least try to do so.

Only last year, the total number of active malware detected went up to 230,000 unique samples/day (according to Panda Security), an increase of 43% compared to the same period in 2014. Obviously, cyber-experts didn’t come up with new names for all of them. Instead, they’ve gathered all malicious software under one single umbrella term – malware, with a handful of sub-terms ranging from your average virus to the infamous ransomware. As such, whereas malware typology is not all that rich, some of these sub-terms may explain how malware is distributed or installed, while some focus only on the actions it performs.

Press articles often try to simplify reading and, as a result, don’t always go that much into detail when illustrating a new cyber-attack to the broad public. That being said, we thought it might be helpful to write a post on this exact topic and demystify malware typology. Because, whereas we might not all be cybersecurity prodigies, understanding more about the threats on our machines can help us better protect ourselves. Without further ado, we give to you our very own Malware Dictionary.

A is for Adware

This is perhaps one of the mildest of all malicious threats we encounter on the Internet. Adware is malware that, as the name would have it, pollutes users with unrequested advertising. Over the course of our digital lives, we’ve all stumbled upon the notorious pop-up window that just refuses to close. Whereas this is its most common form, adware can also be distributed along with free software and browser toolbars. While it may sometimes be used with the aim of collecting user data to push targeted advertising campaigns, this type of malware can also contain or be classified as spyware (see I is for ISM below).

B is for Backdoor

The term ‘backdoor’ is pretty much self-explanatory. It refers to a state of established access within an information system, all the while staying under the radar. A backdoor enables hackers to remotely connect to the victim’s computer and take over control. Although the line between a backdoor and a network vulnerability can be quite fine, the two should not be confused – a backdoor is created (remember the FBiOS?), while a vulnerability has always been there (thanks for sharing, NSA). This particular threat category provides a network connection for hackers to take advantage of in many and various ways.

B is also for Botnet

As we’ve already covered in a previous article, several connected bots form a botnet; a network made entirely out of remote controlled zombie computers, all coordinated by a C&C Zombie-Master server. While this army of undead machines can be used to send out spam, it can also be deployed to take down entire servers, by flooding them, among others, with a huge amount of simultaneous connections (your typical DDoS attack).

C is for Cryptolocker

Given the hype created around cryptolocker this year, we might think a definition isn’t necessary. But, for the sake of it, here goes. First of all, one has to know that this type of malware is a subcategory of the ransomware family, the blanket term for all malware which may prevent a user from accessing his/her computer or files. Taking its name from the first of its kind, cryptolockers nowadays follow the exact same pattern as the original one, starting with the encryption of the files taken hostage. And, unfortunately, we all know how the rest of the story goes: in exchange for regaining access to one’s beloved data, one does not just simply ignore the ransom.

D is for Downloader

A downloader malware is a malicious programme used to download other malicious pieces of code on the infected workstation. In theory, this doesn’t sound that bad: a bunch of software just waiting around to strike when the moment’s right. If you’ve read our previous article which talks about the core modules of Project Sauron, then you probably know that this stepping-stone is, in fact, a killing one.

H is for Hijacker

Browser hijackers are made of malicious code developed specifically to take control of your browser settings. They are distributed much the same way as adware – after installing free software or browser toolbars. The result? You may notice that your homepage or your standard search provider was switched, for example. What you may not notice right away is that some hijackers can also mess around with your browser’s proxy settings. Online safety compromised.

I is for ISM…

…or Information Stealing Malware. Just another fancy name for spyware, this category describes all malware developed to unlawfully recover sensitive user data (such as your banking details and other personal information). It accounts for no more and no less than 5% of the malware surge. But since stealing for the fun of it is not that profitable, this data then ends up for sale on the Dark Web (see Operation Ghoul and the HawkEye malware).

K is for Keyloggers

One of the interesting traits of the HawkEye malware is its ability to trace a user’s keystrokes. This alone was reason enough for us to create a separate category for this refined type of spyware – the keylogger. Able to retrieve everything you might type using your keyboard, from passwords to personal conversations, a keylogger is a fairly powerful piece of malicious software. When there’s no need to crack password hashes, we should think so.

L is for Launcher

A launcher goes hand in hand with a downloader malware. While the downloader recovers the malicious piece of code, the launcher software uses advanced stealthy methods to launch it on the target machine. What a pair, right?

P is for Phishing

You all know by now that traditional phishing attacks usually consist of sending spam emails to a broad public. What you might have failed to take notice of is that there are types of malware out there that can be used to infect a machine and enroll it into their bot network, with precise instructions to send out malicious emails (see B is also for Botnet). This type of malicious software is usually a part of a botnet under the control of a C&C server; one programmed to function as a distributed spam-sending network. This phishing malware then fools its victims by posing as trustworthy sources using the newly spoofed email addresses.

R is for Rootkit

A rootkit is a very dangerous type of software that allows its owner to gain root privileges on the targeted machine. It is then capable of – among other things – concealing its presence entirely. As such, a rootkit is almost impossible to detect, as it digs deep into the lower levels of your machine, next to the kernel.

S is for Scareware

Scareware is malware that preys on people’s weaknesses, blackmailing users with content it might find on the targeted machines. As opposed to being afraid of losing their data (see C is for Cryptolocker), the victims of a scareware attack fear their data will be exposed by the hackers. The added ‘bonus’ here? Scareware will employ tactics which strongly embarrass the victim and prevent him/her from escalating the issue to a system administrator.

T is for Trojan (horse)

A Trojan horse is a type of malware that would probably win an Oscar for its performance (if you’re even slightly into Greek mythology, then you’ve probably already got the hint). It’s also the most widely spread cyber-threat (71% of all IT security incidents are Trojans). It is software disguised to be something you might need to install/launch on your machine. A Trojan presents itself as an ordinary application, or so it would seem, since it also contains a malicious payload. Once launched, this particular cyber-threat is used to… oh well, it all depends on the hacker’s imagination. It can steal your information, establish a backdoor, escalate privileges, launch other types of malware and even turn your machine into a zombie bot.

V is for Virus

Viruses account for over 10% of the entire cyber-threat landscape. A virus is malicious software capable of spreading from one computer to another by associating itself with existing programs, script files or documents. It then replicates itself when the vector in use is launched by the user’s actions. The end goal? Let’s just say it takes after the Trojan horse in this department.

W is for Worm

A worm’s modus operandi is very much like that of a computer virus. The main difference here is that, on top of stealing data or turning your computer into a member of the botnet sect, worms will also attempt to ‘eat’ the information on the host machine. Although classified into the viral family, a worm can do increasingly more damage as it does not rely on human interaction to self-replicate.

So our dictionary might be missing a few letters. New ones will probably be added in the years to come because, guess what, the malware revolution is not over. With attacks increasing in sophistication, we urge enterprises everywhere to stay alert and reinforce their systems and security solutions. Businesses need to be able to speak cybersecurity fluently, so they don’t fail this critical spelling bee.

Tuesday, December 6, 2016

Things you don't want others to see.

I don't have any pictures on my phone I wouldn't want my mother to see, let alone someone else. However, if you use your phone to take intimate photos of your significant other you may want to think twice about who you hand your phone to. In fact, I'll go one step further, you probably should make sure you have encryption and two-factor authentication setup on your phone.

A Texas couple found out the hard way what can happen when you hand your phone over to someone you don't know. They were buying a new car and had their financing documents saved on their phone. So when it came time to process the deal they handed the phone over to their salesman who then took the phone to finalize the paperwork. Without the couple's knowledge, the salesman went through the pictures on their phone and downloaded an intimate picture that the husband had recently taken of his wife and then uploaded it to a couple's swinging site.

Couple Sues Toyota Dealership for Stealing Intimate Photo off Smartphone

Never, never, never hand your phone over to someone you don't know and allow them to take it into a room or keep it where you cannot see it. Even if you don't have any pictures on your phone that you don't want someone to see, you may have applications that are already enabled and constantly logged in that would allow them to access information about you and your contacts. In fact, in just a few short minutes, someone who knows what they’re doing and is intent on stealing information from you can get in and get all the information they need, or can install a spyware application which will then allow them to keep track of everything you do: every phone call you make, who you called, every text you send and receive, every Internet site that you log into, and if you use your phone for banking, they will have that information too.

You always want to make sure that you have taken steps to protect yourself from data theft before you hand your phone over to someone, unless you are going to be present while they have your phone. Alternatively, if you need to hand your phone over to someone for repairs or something along those lines, then you might consider doing a factory reset on your phone first.

Tuesday, November 29, 2016

Beware of Phishing Attempts During the Holidays

During this holiday season, you really need to keep an eye out for phishing attempts and spam. Here is a screenshot of one that made it into my inbox. Of course I didn't add any funds to my PayPal account... in fact, I have two-factor authentication set up on my PayPal account to help ensure my account is as protected as it can be, short of not having a PayPal account.

The takeaway for everyone: (1) learn to recognize both phishing and SPAM; (2) don't click on it, and definitely mark it as SPAM; (3) no one is going to deposit money into your PayPal account unless you sell something or someone sends you a gift, which is always possible but you need to check it out; (4) don't click on the "LOGIN NOW" or any other link. If it's legitimate, your money will be there when you type in the link for PayPal (or any other site for that matter) and log in the old-fashioned way; (5) for added protection, you should consider using either Authentic8's SILO browser, Light Point Web's plugin, or a live CD/DVD of your favorite Linux distro when you are investigating suspicious email.

Rock on, peace out, blessings, and best wishes to all!

Actual Screen Capture
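The "don't click the LOGIN NOW link" advice above can be turned into a mechanical check. The following is an added example, not code from the blog or from PayPal: it pulls every link out of an email body and flags the ones whose real destination is not the brand's own domain, whose login link is plain http, or whose link text pushes urgency. The HTML body, the trusted-domain list and the hostnames are all constructed for the example; a real deployment would use the Public Suffix List instead of the last-two-labels shortcut used here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a PayPal-themed phishing email (not the one from the
# post's screenshot): a branded lookalike host carries the "LOGIN NOW" link, and a
# genuine-looking help link is included for contrast.
SAMPLE_EMAIL_HTML = """
<p>Funds have been added to your PayPal account.</p>
<p><a href="http://paypal.com.account-verify.example/login">LOGIN NOW</a> to claim them.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">paypal.com/help</a>.</p>
"""

# Domains the brand actually owns (assumption for this example: just the one).
TRUSTED_DOMAINS = {"paypal.com"}
URGENCY_WORDS = ("login now", "verify", "claim", "suspended", "urgent")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host: enough for .com/.example style names
    (a real deployment would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def analyze_links(html):
    """Return one finding per link; 'suspicious' means the link should not be clicked."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if not is_trusted(host):
            brand_names = {d.split(".")[0] for d in TRUSTED_DOMAINS}
            if any(brand in host for brand in brand_names):
                reasons.append("brand name used inside an untrusted domain")
            else:
                reasons.append("link leaves the trusted domain")
        if url.scheme == "http":
            reasons.append("login link is plain http, not https")
        # Urgency wording only counts once the destination is already bad.
        if reasons and any(w in text.lower() for w in URGENCY_WORDS):
            reasons.append("urgency wording in link text")
        findings.append({"text": text, "href": href, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        label = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(label, finding["href"], "; ".join(finding["reasons"]))
```

The brand-as-subdomain check is the one that catches the common trick: the host starts with "paypal.com" but is registered under an entirely different domain, which is exactly why typing the address yourself beats clicking the link.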

Saturday, October 15, 2016

Book Reviews of Cybersecurity for Everyone

I try to make sure that I thank everyone who takes the time to review my book and provide feedback to help others decide whether or not to buy it. In this post I just want to provide links to all the reviews that I know of for my book. This will allow you to see what others have written and decide for yourself if it's something you think will be beneficial to you. If you have read my book and you have not written a review, I would love to hear from you so that I can take your feedback and consider it when I publish any future editions.

Russell Madison book review of Cybersecurity for Everyone.

Dan Lohrman book review of Cybersecurity for Everyone.

Stephen Northcutt book review of Cybersecurity for Everyone.

And of course you can also read the reviews written on Amazon.com.

Tuesday, October 4, 2016

#NCSAM 2016 Year Thirteen!

I want to encourage everyone to check out the resources provided by the National Cyber Security Alliance (NCSA) on the Stay Safe Online website. This is the thirteenth year we've observed National Cyber Security Awareness Month (NCSAM). There will be a lot going on all month, and there are events you can even participate in online to be a part of the conversation.

I had the opportunity to speak for a few minutes about the NCSAM and Cybersecurity in general on the Good Day CENLA program here in Central Louisiana on KALB TV-5.

YouTube Video: National Cyber Security Awareness Month Kickoff

WEEK 1: OCTOBER 3-7 – STOP.THINK.CONNECT.™: The Basic Steps to Online Safety and Security

Staying safer and more secure online starts with STOP. THINK. CONNECT. – simple, actionable advice anyone can follow. STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the Internet. Week 1 shares user-friendly ways we can protect ourselves and our communities, along with actions to take if impacted by a breach, cybercrime or other online issue.

WEEK 2: OCTOBER 10-14 – From the Break Room to the Boardroom: Creating a Culture of Cybersecurity in the Workplace

Week 2 will focus on creating a culture of cybersecurity in the workplace through efforts like employee education, training and awareness, and by emphasizing risk management, resistance and resilience. Promoting an educated workforce and following best practices – with an emphasis on skill- and career-building for existing personnel and potential new entrants into the cybersecurity workforce – will also be highlighted.

WEEK 3: OCTOBER 17-21 – Recognizing and Combating Cybercrime

While online crime is often associated with hackers stealing personal information for monetary gain, crime on the internet takes many forms. Week 3 will focus on awareness of the different types of online crime, offer steps people can take to better protect themselves, and address how law enforcement and others can collaborate to combat cybercrime. In addition, careers in fighting cybercrime will be spotlighted.

WEEK 4: OCTOBER 24-28 – Our Continuously Connected Lives: What’s Your “Apptitude”?

We are quickly advancing into a world where there is an app for everything. These rapid technological advances, like the Internet of Things, can yield tremendous benefits and cybersecurity is fundamental to realizing their promise. As smart cities, connected healthcare devices, digitized records and smart cars and homes fast become our new reality, creating these cutting-edge technologies in a safe and secure way – along with building a workforce to maintain the infrastructure of our connected world – is essential. Week 4 will examine our future in this connected world and provide strategies for security, safety and privacy.

WEEK 5: OCTOBER 31 – Building Resilience in Critical Systems

The internet underlies nearly every aspect of our daily lives and helps form our critical infrastructure, which keeps crucial systems like electricity, transportation and communications up and running. October 31 will emphasize the importance of critical infrastructure and highlight the role the public can play in keeping it secure. On this last day of October, the transition to Critical Infrastructure Security and Resilience Month in November begins.

Saturday, September 17, 2016

Consumer Wireless Router Security Best Practice Videos

I recently published reviews of two different Linksys routers and today I completed a video review/screencast where I set up one of the routers using best security practices. While the videos and the articles are focused on two different Linksys routers, the principles I discuss and demonstrate can be applied to just about any consumer router on the market. Here are the links to the original articles and the videos. I hope you find them useful.


http://cybersecurityevangelist.blogspot.com/2016/09/linksys-wrt1900acs-dual-band-gigabit-wi.html
http://cybersecurityevangelist.blogspot.com/2016/08/linksys-ac1200-dual-band-smart-wi-fi.html
Consumer Wireless Router Security Best Practices Part 1
Consumer Wireless Router Security Best Practices Part 2


Sunday, September 4, 2016

Linksys WRT1900ACS Dual Band Gigabit Wi-Fi Router

I recently completed a review of the Linksys AC1200 (EA6100) consumer router that is an inexpensive consumer router with surprisingly good performance although it’s a bit lacking on the security side of the house. For this review I’m digging into the WRT1900ACS Dual Band Gigabit Wi-Fi router to see what’s under the hood. I can say thus far I’m pretty impressed and plan on a second review after I upgrade to the DD-WRT open source firmware. I want to remind everyone this is a great time to start thinking about cybersecurity because the National Cyber Security Awareness Month is just around the corner. October is the month set aside in the United States each year. 2016 marks the 13th year of National Cyber Security Awareness Month (NCSAM). Check out the Official website for the #NCSAM at https://staysafeonline.org/ncsam/about/ and see what the focus is for 2016.

I want to clarify up front this is not a review of the overall performance of the router, although I can also say up front I like what I’ve seen so far. At $199.00 this router is a bit more expensive than the EA6100 I’ve already reviewed, although I can see right away the firmware is very similar with a few more features. It has a lot of modern features and the user interface/dashboard is easy to navigate and understand. I only have 10 devices on my network when you don’t count the router (2 desktops, 2 laptops, 4 Android devices, and 2 PS4s). The majority of my bandwidth usage comes from video streaming and games. We have not had any problems streaming to multiple devices over the network but, like I said, there are not a lot of devices. Our current Internet plan provides 200 Mbps with unlimited data, for reference.

According to the packaging, Linksys says this router was “Engineered for Intuitive Use and Ultimate Performance”. It is certainly a beefy looking router and it’s got 4 high-performance antennas designed for dual-band communications (2.4 GHz & 5.0 GHz). They are adjustable so you can position them for use in a single or multi-story building, and you can also remove them to accommodate antenna upgrades. Linksys sells a 4 pack of high-gain antennas that appear to be a little longer than the antennas that come with the router. I submitted a request to the Linksys support website asking for the specs on the OEM antennas since I could not find any documentation. The specs for the upgrade antennas are available on the Linksys website.[i] There are no currently listed vulnerabilities on the CVEDetails.com website, which is good since this is a brand new version of their original WRT1900AC wireless router. I did not need to update the firmware as my router came with the latest hardware (V2) & firmware 2.0.0.173388. Since there are no firmware updates, I cannot review its update feature until I load DD-WRT or OpenWRT, which are both open source router firmware.

Smart Wi-Fi Tools


Network Map

The network map may not be something you would consider initially as being related to security because it is not under the heading of “security”. It’s a great feature because it gives you a quick visual picture of the devices on your network and allows you to query the devices to get their current IP and MAC address. Another feature under the network map is the ability to change the icon and hostname of the displayed devices. Linksys has provided 69 different icons to represent many of the devices you may find in a smart home or small office environment. I found it interesting they provide about 20 icons to use with the different Linksys devices which also use the same GUI, but it’s still pretty impressive. The ability to change the hostname is also an excellent feature because the default names for some of the devices are not very intuitive. This really is a great tool and it can be used to help map your network so you know what you’ve actually got running on/accessing your network and the Internet. The GUI also allows you to highlight individual fields such as IP address, MAC, and hostname with your mouse so you can use the copy/paste command, making it easy to set up other features such as MAC filtering or DHCP reservations for each device on your network.

There is also another cool feature with this version of the firmware that allows you to see the bandwidth or Internet usage for each individual device dynamically at the same time. I was streaming music on my PS4 over iHeart Radio and it was averaging about 6.25 Mbps. I’m sure it would be a bit higher if I were streaming video. At the time I was experimenting with the bandwidth usage no one else seemed to be doing anything so their bandwidth usage was nil. I decided to start streaming audio from Amazon Prime as well to see if it registered and it did. Interestingly the PS4 bandwidth continued dropping until it was around 1.32 Mbps and the others were registering less than 1 Mbps. This can really come in handy if you were going to try and balance the maximum bandwidth for individual devices but with only 10 devices total on my network and 200 Mbps download speed I don’t think I’ll need to experiment with media prioritization.

There are also three other options on the “my network map” tab that allow you to manually add devices that are not currently showing on your network map, clear your network map, and refresh your network map.
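The network map is only useful for security if you periodically compare it with what is actually answering on the LAN. The following is an added example, not something the router or Linksys provides: it parses `arp -a` style output from any machine on the network, normalizes the MAC addresses, and checks them against an inventory of known devices and their DHCP reservations, reporting unknown devices (candidates for MAC filtering or a closer look), known devices that turned up on the wrong IP, and inventory devices that were not seen at all. The inventory, the reservations and the ARP output are all constructed for the example.

```python
import re

# Constructed inventory of the devices the owner knows about, keyed by MAC address
# (the same information the router's network map shows once hostnames are renamed).
KNOWN_DEVICES = {
    "10:20:30:40:50:01": "linksys-router",
    "10:20:30:40:50:61": "desktop-office",
    "10:20:30:40:50:62": "laptop-kitchen",
    "10:20:30:40:50:63": "ps4-living-room",
}

# Constructed DHCP reservations (MAC -> the IP the router should always hand out).
RESERVATIONS = {
    "10:20:30:40:50:61": "192.168.1.10",
    "10:20:30:40:50:62": "192.168.1.20",
}

# Constructed `arp -a` style output captured from a LAN host. The last entry is a
# device nobody added to the inventory, and the laptop shows up off its reserved IP.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 10:20:30:40:50:01 [ether] on wlan0
? (192.168.1.10) at 10:20:30:40:50:61 [ether] on wlan0
? (192.168.1.22) at 10-20-30-40-50-62 [ether] on wlan0
? (192.168.1.37) at 10:20:30:40:50:99 [ether] on wlan0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)


def normalize_mac(mac):
    """Lower-case, colon-separated, so Windows (dash) and Unix (colon) forms compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return (ip, mac) pairs found in arp -a output; incomplete entries are skipped."""
    entries = []
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            entries.append((match.group("ip"), normalize_mac(match.group("mac"))))
    return entries


def audit(entries, known=KNOWN_DEVICES, reservations=RESERVATIONS):
    """Compare what is on the wire with the inventory.

    unknown   - MACs not in the inventory
    misplaced - known devices answering from an IP other than their reservation
    missing   - inventory devices not seen at all (offline, or a stale inventory)
    """
    report = {"unknown": [], "misplaced": [], "missing": []}
    seen = set()
    for ip, mac in entries:
        name = known.get(mac)
        if name is None:
            report["unknown"].append((ip, mac))
            continue
        seen.add(mac)
        expected = reservations.get(mac)
        if expected is not None and expected != ip:
            report["misplaced"].append((name, expected, ip))
    report["missing"] = sorted(name for mac, name in known.items() if mac not in seen)
    return report


if __name__ == "__main__":
    for kind, items in audit(parse_arp(SAMPLE_ARP_OUTPUT)).items():
        print(f"{kind}: {items}")
```

Run it against the real `arp -a` output of a laptop on the LAN instead of the constructed sample; MAC addresses can be spoofed, so an empty "unknown" list is a good sign rather than proof, but an unexpected entry is always worth chasing down.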


Guest Access

From a security standpoint, this is one of those cases where you’ve got to weigh your pros and cons. Being able to enable a guest account is a positive thing because it allows you to keep potential prying eyes from having access to your internal network while granting them the privilege of using your Internet access. The security professional in me wants to scream at the top of my voice at Linksys for not including the option of providing encrypted Wi-Fi (WPA2) for your guests. They did provide the option of creating a password to access the guest network but it does not use https so the password is passed in the clear when the user authenticates to your guest network. If you are a small business I would not recommend using this particular router because I believe it’s important to provide a measure of security and only allow users who you want to have access. At the same time, I personally use a VPN service whenever I use an open wireless network and would recommend it to all my guests.


Parental Controls

This is a consumer router and as such will be found in thousands of homes around the world where there are children accessing the Internet. Parental controls should not seem like an afterthought, but in this case they do. There is almost as much documentation about parental controls on the box as there is in the manual. It’s really that bad, so here is a direct quote: “With your router, you can use parental controls to do the following: Set the times that Internet access is allowed. Block websites that you specify, or based on their content.” The last part of their statement is blatantly false. You can block specific websites (up to a maximum of 10) – WOW! But you cannot block based on their content unless you are using additional software or a DNS service. There are almost two pages on the subject of parental controls in the manual, so it’s better than the manual for the EA6100 with only one sentence. So let’s look at what it means for users who do want to enable parental controls.

When it comes to blocking or denying access to websites through this router, you would be better off if you either install Internet filter software on the computer you want to protect or begin using a DNS service such as OpenDNS or Norton ConnectSafe for Home. All the feature amounts to is a manual “black list”, which most kids these days can figure out how to get around by doing a search on YouTube. You literally have to enter each website URL you want to block, so you can see how tedious this would be as your list grows. The manual actually tells you to cut and paste the URLs to save time. I believe a better approach would have been to let parents allow specific websites, which amounts to a “white list”, and block all others.

The scheduling is a useful feature because it allows you to define times and days of the week specific devices can access the Internet, but it’s not a very significant feature. They could do so much more with only a little effort instead of adding a feature that is barely useful. If you take my advice and use a DNS service like OpenDNS, then you have significantly more flexibility and can filter out things like pornography, other adult-related content, drug-related sites etc., define schedules for individual devices on your network, and generate reports/statistics that can help you see what your users are doing on your network.
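The difference between the router's 10-entry URL blacklist and what a DNS filtering service does comes down to three things: matching on domain suffix rather than exact URL, blocking by category, and applying a per-device schedule. The following is an added example, not code from Linksys, OpenDNS or the blog, that models a DNS policy engine with all three, including the "white list" mode the paragraph above asks for. The device names, category lists, domains and schedules are all constructed; a real resolver would plug `decide()` in before answering each query.

```python
from datetime import datetime, time

# Constructed stand-in for the categories a DNS filtering service maintains.
CATEGORIES = {
    "adult": {"adult-example.test"},
    "drugs": {"drugs-example.test"},
    "video": {"video-example.test"},
}

# Constructed per-device policies, keyed by the hostname given to the device on the
# router's network map. 'allowlist' is the white-list approach: only listed domains
# resolve. 'blocklist' is the router's approach plus category blocking.
POLICIES = {
    "kids-tablet": {
        "mode": "allowlist",
        "domains": {"school-example.test", "video-example.test"},
        "block_categories": set(),
        # weekday (0 = Monday) -> (start, end); a weekday not listed is blocked all day
        "schedule": {day: (time(7, 0), time(20, 0)) for day in range(7)},
    },
    "family-laptop": {
        "mode": "blocklist",
        "domains": {"tracking-example.test"},
        "block_categories": {"adult", "drugs"},
        "schedule": None,  # no time restriction
    },
}


def matches(name, domain):
    """Suffix match, so a rule for example.com also covers www.example.com and m.example.com."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def category_of(name):
    for category, domains in CATEGORIES.items():
        if any(matches(name, d) for d in domains):
            return category
    return None


def within_schedule(schedule, when):
    """None means no time restriction; a weekday missing from the schedule is blocked all day."""
    if schedule is None:
        return True
    window = schedule.get(when.weekday())
    if window is None:
        return False
    start, end = window
    return start <= when.time() < end


def decide(device, name, when):
    """Return (verdict, reason) for a DNS query from `device` for `name` at `when`
    (a datetime or an ISO 8601 string). Devices without a policy are denied (default-deny)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    policy = POLICIES.get(device)
    if policy is None:
        return ("block", "unknown device")
    if not within_schedule(policy["schedule"], when):
        return ("block", "outside allowed hours")
    listed = any(matches(name, d) for d in policy["domains"])
    if policy["mode"] == "allowlist":
        return ("allow", "on allowlist") if listed else ("block", "not on allowlist")
    if listed:
        return ("block", "on blocklist")
    category = category_of(name)
    if category in policy["block_categories"]:
        return ("block", f"blocked category: {category}")
    return ("allow", "no rule matched")


if __name__ == "__main__":
    for device, name, when in [
        ("kids-tablet", "www.video-example.test", "2016-09-05T18:00"),
        ("kids-tablet", "www.video-example.test", "2016-09-05T21:00"),
        ("family-laptop", "m.adult-example.test", "2016-09-05T23:30"),
    ]:
        print(device, name, when, "->", decide(device, name, when))
```

Suffix matching is the part the router's URL list gets wrong: a rule written as one URL does not cover the same site reached through another subdomain or path, while a domain-suffix rule does.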


Media Prioritization & Speed Test

I cannot think of any relationship these features would have to security, but they may be useful if you have multiple devices vying for bandwidth when gaming or using a VoIP/video teleconferencing system. The optimization works for downstream bandwidth, but if you read the manual it is a bit confusing because it reads “Prioritization settings are applied only to traffic that is uploaded to the Internet.” When you try to use the feature and modify the settings, you are presented with the option of modifying only the downstream bandwidth. For most users I doubt you’ll need to modify the prioritization settings, but if you do decide to play around with the media prioritization settings, then document the changes and experiment to see which changes give you the best performance.


External Storage

The WRT1900ACS also has a USB 2.0, USB 3.0 and eSATA port you can use to attach external storage. From a security perspective, having a network attached storage (NAS) device can be an excellent way of preserving important data from multiple users. I’ve got both a USB 2.0 external drive and a USB 3.0/eSATA external drive. I decided only to test the eSATA connection because it gives you the greatest transfer speeds. It has performed flawlessly and I have the external drive mounted as a network drive. There are several options that can be configured, such as setting the external drive up as an FTP server (not sure why you would want to do this), a media access server, and secure file shares. The secure file share option allows you to create accounts and to assign permissions for specific folders by username and password. When the secure folder option is not enabled, anyone on the network can access files on the attached external storage. From a security perspective, it is a good idea to back up data, but the only security feature of the external storage is basic folder permissions. I need to investigate options for using encryption, but it doesn’t seem like it would be easy to set up, if possible at all. If the external drive were directly connected to Windows 7, 8, or 10 systems with BitLocker or a Mac OS X system, you could set up encryption easily, but because the drive is accessible via the router, encryption doesn’t seem to be a simple feature to enable. At any rate, external storage is a nice feature, but I would prefer to see security beefed up by adding built-in network encryption. As a word of caution, ransomware is on the rise and network file shares are often targeted by this type of malware, so from a security perspective you should only attach your external network drives when you actually need to back up data, or else not rely on the external drive as a backup medium. This would definitely be a problem if you are using your router as a media server, because you need your storage always connected, which puts it at risk if you fall victim to ransomware.

The external storage drive I bought is a 2TB 64MB Cache GForce3 USB 3.0/eSATA Aluminum External Hard Drive (GF3B2000EUA).[ii] It is formatted by Fantom to use NTFS, which is the Microsoft Windows file system, and did not come with backup software. Fortunately, Comodo Online Backup Software is a free download and works flawlessly. I backed up both my computer and more than 145 GB of picture files in no time at all.[iii] Comodo Online Backup was a lot faster than I thought it would be, taking only about 30 minutes to back up my computer (78GB) and a little over an hour to back up the picture files. I was pretty impressed with how well the router handled the Fantom drive and must say the eSATA transfer rates were awesome. This is a great feature for the WRT1900ACS and I believe this was a great choice for the money.


Router Settings

Connectivity

Under the “Connectivity” section there are six tabs (Basic, Internet Settings, Local Network, Advanced Routing, VLAN, Administration). We'll look at each feature in the sections that follow.


Basic

There are a lot of options under the “Basic” tab, some good, some not so good in my opinion. Let’s start off with the “Network Name and Password” feature. You’ll find both the 2.4 GHz and 5.0 GHz networks listed here. You can select edit to change both the SSID and the network password for each network. What I found disappointing is that the network password is stored in the clear on the router, unlike the router password, which is masked and found in the same tab. I’m not sure why the network passwords are shown in the clear, but it seems more logical that they would also be masked. In reality, though, you can only access the network passwords when you are logged into the router as the administrator, so no harm, no foul. I just find it strange that the router password is masked while the network passwords are not. I would also like to see the system generate a random network password that is at least 16 characters long. This would help ensure home users and anyone who may use this router with a small business have a good Wi-Fi password for their network. You should be required to enter the old password, enter the new password and confirm the new password for both networks when you change them. I’m not sure what Linksys is doing with their firmware, because the firmware for the EA6100 router I reviewed previously did require those steps to change the router password, although it did not require those steps for the networks. It’s almost like they are going backwards with their security. I’m still scratching my head over why they would set it up this way. If anyone has an idea as to why they would set the router up this way, please share. I would also like to have a way of changing the router’s default username from admin to something else, but you cannot. You don’t even need a username when you log in locally (Ethernet) using the router’s IP address. You only need to enter the router’s password.
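Two of the wishes above, a generated random Wi-Fi password of at least 16 characters and a change flow that demands the old password plus a confirmed new one, are small enough to show in code. The following is an added example written for this post, not Linksys firmware or anything the router offers: it draws a passphrase from Python's `secrets` module (a cryptographically secure source), reports its entropy, and validates a password change the way the post says the router should. The alphabet and the 16-character minimum are assumptions taken from the paragraph; WPA2-PSK itself accepts 8 to 63 printable ASCII characters.

```python
import math
import secrets
import string

# WPA2-PSK accepts 8 to 63 printable ASCII characters; the post asks for at least 16.
MIN_LENGTH = 16
MAX_LENGTH = 63
# Letters, digits and a few symbols that are easy to type on phones and game consoles
# (assumption for this example; widen it if you prefer).
ALPHABET = string.ascii_letters + string.digits + "-_.!@#%+="


def generate_wifi_passphrase(length=20):
    """Random passphrase from a cryptographically secure source (the secrets module)."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase, alphabet=ALPHABET):
    """Entropy of a passphrase drawn uniformly from `alphabet`: length * log2(alphabet size)."""
    return len(passphrase) * math.log2(len(alphabet))


def validate_password_change(current, old_entered, new_entered, new_confirm):
    """The change flow the post asks for: prove you know the current password, type the
    new one twice, and meet the minimum length. Returns a list of problems; an empty
    list means the change is acceptable."""
    problems = []
    # Constant-time comparison so the check itself does not leak how many characters matched.
    if not secrets.compare_digest(current.encode(), old_entered.encode()):
        problems.append("current password does not match")
    if new_entered != new_confirm:
        problems.append("new password and confirmation differ")
    if len(new_entered) < MIN_LENGTH:
        problems.append(f"new password is shorter than {MIN_LENGTH} characters")
    if new_entered == current:
        problems.append("new password is the same as the current one")
    return problems


if __name__ == "__main__":
    candidate = generate_wifi_passphrase()
    print(candidate, f"({entropy_bits(candidate):.0f} bits)")
    # Constructed current password, standing in for whatever the router has stored.
    print(validate_password_change("old-wifi-pass", "old-wifi-pass", candidate, candidate))
```

Twenty characters from this 71-symbol alphabet gives a little over 120 bits of entropy, far beyond what an offline attack on a captured WPA2 handshake can brute-force, which is the point of asking the router to generate the password rather than letting people pick one.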

Also under the “Basic” tab you are able to set up automatic firmware updates or manual updates. When I first set up my EA6100 router I had to perform two firmware updates. It was pretty easy to do, but I had to restart the router manually both times because it seemed to hang. It could be I was just impatient, but after 15 minutes of waiting for the system to come back online I thought it was the best option. In both cases that was all I needed to do, and the router restarted with the latest firmware installed. If you feel like you need to be in control of when your router’s firmware is updated, then uncheck automatic updates and have the router check for updates when you are doing administration, or you can go to the Linksys website, download the firmware to your desktop, and install the update from there. At any rate, it is important to update your router’s firmware, just like it’s important to have automatic OS and other software updates enabled, to ensure you have the latest security patches installed. This is one of the best ways you can help ensure your own network and systems are as secure as possible. I did not need to update the firmware for the WRT1900ACS, so my comments about the update process are from my experience with the EA6100.

There are two other minor features you can modify on the “Basic” tab: the “Time Zone”, which has nothing to do with security except perhaps providing the correct time-stamp on your router’s logs when you have them enabled, and the option to enable/disable the activity lights on the router. I’m not even sure why they would provide this option, but I opt for the default, which is to display the activity lights.


Internet Settings

Under the “Internet Settings” tab you only have a few settings that can be modified. The first is the type of Internet connection, found on the left side of the tab along with the version of IP (IPv4 or IPv6). The type of Internet connection can be set to Automatic Configuration – DHCP, Static IP, PPPoE, PPTP, L2TP, Bridge Mode, Wireless Repeater, & Wireless Bridge. On the right side of the tab you have a few optional features you can modify, such as MTU, which is the maximum transmission unit for your network. I recommend you just leave the default setting of “Auto”, but if you choose to modify it you should know 1500 is the highest, and normally the best, MTU you can set for an Ethernet network. You can also clone your MAC address, which is something you would rarely need to do, but if you do, check out the article on DD-WRT for an explanation of when you might want to clone your MAC.[iv]

The bottom line on the Internet Settings, the default settings should work fine for these options. None of these settings really affect your security. The possibilities with IPv6 may change in the future but I have a feeling this router will be ancient history before we need to worry about configuring IPv6 settings on a consumer router.


Local Network

Under the “Local Network” tab, on the left side you can change/edit the name of your Ethernet network and modify the IP address of your router and the subnet mask. It would probably be best if you leave this alone unless you know what you are doing. I cannot think of a reason you would need to modify your IP address or subnet mask unless you just want to experiment. There is enough address space for a home or small business network with the default network as it is out of the box… but play if you want to; it probably won’t hurt anything and you’ll learn something new in the process.
On the right side of the tab you can make some configuration changes that can be directly related to your security. You can enable your router to serve as a DHCP server for your internal network and then define the start IP address for your internal network. The configuration I recommend you modify is the “Maximum number of users”. In my case, I can have between 1 and 155 users by default. If you are concerned about security then I recommend you reduce this number to the actual number of devices you have on your network. If you only have 5 devices then don’t have 155 users available. You can also modify the lease time your router will let a device hold onto an IP address. You could modify this setting if you want to but I don’t think there is any advantage from a security standpoint in doing so.

The last settings you can modify on this tab are your DNS and WINS. I’m going to say with certainty that most home users and small business users will never need to put anything in the WINS section, so just leave it blank. But the DNS setting is definitely one you should consider changing, as it can have a positive effect on your security. I have used both Norton Connect Safe for Home and OpenDNS. These services allow you to filter/block access to pornography websites and many other websites you may not want to access personally or allow other users on your network, such as your children, to access. You should check out both of these services for more information and to consider which may be best for your situation.[v],[vi]


Advanced Routing

There are three optional settings on the Advanced Routing tab and from a security perspective I recommend the best option for a home user is to leave the default option selected and that is “NAT”. The only reason you would need to use either of the other two options (Dynamic Routing RIP and Static Routing) is if you have multiple routers and have setup additional subnets on your network.


VLAN

There is very little documentation on the VLAN feature using the Linksys firmware. From the looks of it the VLAN feature on this router is designed for cases where ISPs have already defined VLANs for their configurations. There are several options available when you enable the VLAN feature that includes: Manual, M1 (Fibre), Maxis (Fibre special), Maxis (Fibre), SingTel (mio TV), SingTel (other), StarHub, Unifi (@ Business), & Unifi (@ Home). If you choose to setup OpenWRT there are options to enable VLANs on your internal network. This may also be available with DD-WRT which I’ll explore after I’ve completed this review of the Linksys firmware features.


Administration

The final tab under the menu option “Connectivity” has four separate options you can modify. These include Local Management Access, UPnP, and Application Layer Gateway. My recommendations for each follow. For Local Management Access, select “https” and do not select “Access via wireless”.

Under UPnP, which stands for Universal Plug and Play, I recommend you deselect the “enabled” option and only allow UPnP if you require it to get a device on your network configured. Chances are you will not need it enabled, and there have been vulnerabilities identified with UPnP on other models of Linksys routers with older firmware. This particular model is not listed as vulnerable but, like I said, why enable it if you do not need it? From a security perspective this is a best practice, because the idea is to limit the possible attack vectors a hacker might use to gain access to your network.

Under the Application Layer Gateway you have the option to enable SIP which is the Session Initiation Protocol used with some VoIP services. Like the UPnP option above I do not recommend you enable it unless you need it. If you are trying to use a feature on one of your devices that requires VoIP and it doesn’t work you can enable SIP and see if it clears it up. Otherwise, you’ll probably never need it.


Troubleshooting

There are three tabs available once you access the troubleshooting feature: Status, Diagnostics, & Logs. The geek in me really likes this particular feature because there are some nice things available for you to do, executed from the router, to try and identify network problems. You can also do these same steps from your desktop, so the question I’ve got to ask is whether or not an average user who does not have a background in computers would even attempt to troubleshoot an issue without someone helping them. Since I have not had a reason to contact customer support, I don’t know if this is something Linksys would use to try and troubleshoot a router during a call or not. Anyway, let’s dig in and see what’s available.


Status

Under the status tab you have two different features that are very useful for creating some documentation for your network, which I recommend in my book “Cybersecurity for Everyone: Securing your home or small business network” along with a sample provided in Appendix three. You can download the sample network documentation from my website.[vii] The first feature is Devices, which, as it sounds, generates a short table with the information your router detects for each device connected to your network, for both Ethernet and wireless connected devices. The table heading includes name, MAC address, IPv4 address, and connection (LAN for Ethernet or Wireless for Wi-Fi connected devices). The second feature is Report, which is also very useful because it generates a report about your router and its current configuration. I’m pretty pleased with this particular report because it’s fairly comprehensive. I suspect it is really more for someone who will help you troubleshoot than for the individual user, but like I mentioned above it's very useful for documenting your network so you know what is actually on it.

There are also several options on the right side of the tab related to both the devices and reports features. You can select refresh, which, as it sounds, will refresh the list of devices or refresh the report. This is useful because you may have wireless devices coming on and off your network (if they are already configured/allowed on your network) as they come into range and/or are turned on/off. You can also have both the device and report output sent to a browser (easily cut/pasted into a word processor or spreadsheet) or printer. The final option is to open the DHCP client table. This is useful because it contains all the devices you’ve had on your network whether they are online or not (Ethernet or Wireless). Have you had anyone on your network you didn’t give permission to? If they are not able to delete the DHCP client table on your router, then it should be a great indicator of recent network activity. Did someone steal your network credentials and is now leeching your Internet? I can think of a lot of reasons to use this feature from time to time.


Diagnostics

Under the diagnostics tab you have eight features which are: Ping IPv4, Trace route, Reboot, Router diagnostic information, Router configuration, Router Firmware, Internet Address, and Factory Reset. The first two are standard network commands you might use when troubleshooting. These are cool because they are executed from the router and not from your workstation or smart device (if using the Linksys Smart Wi-Fi App) using the Linux version of both these commands.
The Ping IPv4 feature allows you to specify a specific IP address or a hostname. It also works with URLs, so if you are having problems getting to a specific URL just type in the domain name or the full URL. The default will send 5 pings, but you can also choose 10, 15, or unlimited. I don’t recommend you start sending unlimited pings to a URL on the Internet or you may have other problems.

The Trace route tool works just like the Ping IPv4 feature in that you can use it with a specific IP address, hostname, or URL. No other options are listed and it will attempt the traceroute with 30 hops max.

The other options found on the diagnostics tab are also useful, but for different reasons. You can reboot your router if you’re having problems, back up and restore your router configuration (a good idea if you want to play around with your settings with reckless abandon just to see what will happen), restore older firmware, release and renew your router’s IP address as seen by the world, and best of all do a factory reset with the click of one button. So if you didn’t back up your configuration, at least you can reset your router to factory defaults and start over. The last feature I’ll mention is the router diagnostic information button. It’s not what you would think at first glance but is a way for you to voluntarily send details about your router to Linksys. I’m not sure I like this feature because it doesn’t tell you up front what information is actually shared with Linksys. So, my recommendation is to leave the sharing to others and keep your information to yourself. I found it interesting that when I clicked on the link to share with Linksys, to see what would happen, they provide a warning to the user: “Some information about your network can present security concerns. Share only with people you trust.” I have no basis with which to trust Linksys/Belkin. You cannot cut/paste the rather large report that is generated, but you can add an email address to send it to in addition to whoever it goes to at Linksys/Belkin. I’m just frustrated you cannot easily cut/paste the report into a Word document so you can browse through it as well.


Logs

This is the final tab under the troubleshooting section and like the reports above is really important in helping you troubleshoot problems on your network at a glance. It is not a replacement for tools like Wireshark but may give you enough information to make you want to dig deeper. The logs are not enabled by default so if you want to take advantage of logs then you’ll need to enable them. The logs tab also allows you to refresh logs, open in a browser, print, and of course, clear your logs just as you can for the device and reports under the status tab mentioned earlier.


Wireless (view and change router settings)

There are four tabs under the wireless section as well: Wireless, MAC Filtering, Wi-Fi Protected Setup, & Wireless Scheduler. This is where you configure all your router’s wireless options and can really harden your wireless security.


Wireless

On the wireless tab you have both of your wireless networks (2.4 GHz & 5.0 GHz) represented and can modify the settings for both easily. The options are basically identical except for the selections under channel which allow you to select an individual channel (frequency) for your wireless to operate on and channel width which allows you to select the feature that provides you the best bandwidth/performance for your individual situation.
In most environments, you should have good performance by leaving channel and channel width set to auto. What you need to understand is your wireless environment can be affected by other devices operating on the same or near frequencies within range of your network. In fact, the 2.4 GHz frequency spectrum has a lot of competing devices with varying power output levels. So, if you live in an apartment complex, have other devices (cordless phones, microwaves, wireless security cameras, etc.) you may need to play around with the channels to ensure you get the best performance for your network and the only way you will know is to experiment. If you’ve got a friend who has a spectrum analyzer, then you might be able to narrow down the best option a lot quicker but how many people do you know with a spectrum analyzer laying around? I did find the user guide useful in explaining how to make optimum use of the various wireless settings.[viii]

Network Name
Getting back to the wireless tab’s other features that are really important: I always recommend you don’t use the default network name. In the case of my router, the default name was probably unique, which you want because it was based on the router’s SN, but it was still readily identifiable as a Linksys router. I always recommend you change the network name because the default gives an attacker a place to work from passively, without needing to actively attack your router to identify possible vulnerabilities. If I know you are using a Linksys router then I’ll start my research as a hacker by looking for known vulnerabilities for Linksys routers… so why make the hacker’s job easier when you can change the name? You can also have fun with your neighbors by coming up with a unique name that others will not readily identify as being your network but will see as an available network when they are looking. In other words, don’t use your name, your kid's name, your favorite sports team, etc. I used FBISurvellianceVan for fun. So if you are cruising/war driving around Louisiana and run across a wireless network named FBISurvellianceVan it might be me… but then again.

Password
I would like to say we’ve beat this dead horse and it’s not going to get better but the reality is many people are just plain lazy. Get out of your lazy mode when it comes to these passwords (2.4 GHz & 5.0 GHz networks). Anyone with these passwords has access to your network and if you have file shares on your network or through your router then they do as well. I recommend you use a complex, random password of at least 12 characters because you usually don’t have to enter it but once for each device and then save that password in your network documentation on an encrypted drive or in a password protected file. My password is significantly longer than 12 so whatever floats your boat.
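The review asks twice for a random Wi-Fi password: a generated one of at least 16 characters under the Basic tab, and a complex random one of at least 12 characters here. The block below is an added example, not from the review or from Linksys, showing how to generate such a passphrase with the operating system's cryptographic random source and how much entropy a given length buys. The function names and the symbol set are my own choices; the only fixed constraint is that a WPA2 Personal passphrase is 8 to 63 printable ASCII characters.

```python
"""Generate a random WPA2 Personal passphrase and report its entropy.

Added example (not the review's or Linksys's code). Uses Python's `secrets`
module, which draws from the OS CSPRNG, instead of `random`, which is not
suitable for passwords. ALPHABET, generate_passphrase and entropy_bits are
illustrative names chosen here.
"""
import math
import secrets
import string

# Letters, digits and a few symbols that are easy to type on phones and TV remotes.
# 52 + 10 + 12 = 74 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_passphrase(length=16, alphabet=ALPHABET):
    """Pick `length` characters independently and uniformly with a CSPRNG."""
    if not 8 <= length <= 63:
        # WPA2 Personal passphrases must be 8 to 63 printable ASCII characters.
        raise ValueError("WPA2 Personal passphrases are 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for n in (12, 16):
        print(f"{n} chars -> {entropy_bits(n):.1f} bits: {generate_passphrase(n)}")
```

With this 74-symbol alphabet, 12 characters give about 74 bits of entropy and 16 characters about 99 bits; since the passphrase is typed once per device and then kept in your network documentation, length costs you little.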

Security Mode
This feature under the wireless tab is very important and for most home and small business users the only good option is WPA2 Personal. The other options are none, WEP (may as well be none), WPA2 Enterprise, WPA2/WPA Mixed Personal, and WPA2/WPA Mixed Enterprise. It’s great they gave us so many options but like I said…the only good option for most users is WPA2 Personal.

Other features
The other features are probably better left with the default settings. These include: broadcast SSID (yes/no), Network mode (802.11b/g/n etc.), and of course the channel/channel width mentioned above. The default network mode is mixed, which will ensure your devices can connect even if they are using different 802.11 modes. I once told people not to broadcast their SSID, which is what helps identify your wireless network, but it’s so easy that even a novice can find your SSID by monitoring wireless network traffic with easily available tools. Just leave it set to on and have fun with your neighbors by using unique and creative names for your networks.


MAC Filtering

This is an excellent feature that can have a positive impact on improving your security. It is not enabled by default, and it requires you to add MAC addresses to a list, also known as an Access Control List (ACL). This router gives you two different ways to use MAC filtering, and it really depends on what you are trying to achieve. If you want to have an allow list, then only the MAC addresses you input into the database will be allowed to have access to the Internet. If you want to have a deny list, then it will deny all MAC addresses you input into the database from having access to the Internet. All others will have access to the network by default because they are not listed in the deny database. Remember the features we covered above under troubleshooting? This is a quick and easy way to cut/paste MAC addresses into your database and either give them access or deny them access.
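Two passages above fit one worked example: the Status tab's device table and DHCP client table, which the review suggests using to spot devices you did not authorize, and the MAC filtering allow list and deny list just described. The block below is an added example, not code from the review or from Linksys. The device table text is constructed to look like the columns the review lists (name, MAC address, IPv4 address, connection), the documented inventory is a hypothetical allow list of the kind you would keep in your network documentation, and the two modes are modelled exactly as the review describes them.

```python
"""Check the router's device table against your network documentation, and
model the router's two MAC filtering modes.

Added example (not the review's or Linksys's code). The device table and the
documented inventory below are constructed sample data.
"""
import re

# Constructed sample of what the Status > Devices table / DHCP client table shows.
ROUTER_DEVICE_TABLE = """\
Name            MAC Address         IPv4 Address    Connection
laptop-01       AA:BB:CC:00:00:01   192.168.1.100   Wireless
desktop-01      AA:BB:CC:00:00:02   192.168.1.101   LAN
phone-01        aa:bb:cc:00:00:03   192.168.1.102   Wireless
android-7f3e    DE:AD:BE:EF:00:09   192.168.1.137   Wireless
"""

# Hypothetical network documentation: the devices you know you own.
# This same list is what you would paste into the MAC filtering ACL.
DOCUMENTED_DEVICES = {
    "AA:BB:CC:00:00:01": "laptop-01",
    "AA:BB:CC:00:00:02": "desktop-01",
    "AA:BB:CC:00:00:03": "phone-01",
}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Upper-case, colon-separated form so lookups are not case or separator sensitive."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.upper().replace("-", ":")


def parse_device_table(text):
    """Turn the pasted table into a list of dicts, skipping the header line."""
    devices = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, mac, ip, conn = line.split()
        devices.append({"name": name, "mac": normalize_mac(mac), "ip": ip, "connection": conn})
    return devices


def unknown_devices(table_text, documented):
    """Return devices the router sees that are not in your documentation."""
    known = {normalize_mac(m) for m in documented}
    return [d for d in parse_device_table(table_text) if d["mac"] not in known]


def mac_filter_allows(mac, acl, mode):
    """Decide access the way the review describes the two MAC filtering modes.

    mode == "allow": only MACs in the ACL get access.
    mode == "deny":  MACs in the ACL are refused; everyone else gets access.
    """
    listed = normalize_mac(mac) in {normalize_mac(m) for m in acl}
    if mode == "allow":
        return listed
    if mode == "deny":
        return not listed
    raise ValueError("mode must be 'allow' or 'deny'")


if __name__ == "__main__":
    for d in unknown_devices(ROUTER_DEVICE_TABLE, DOCUMENTED_DEVICES):
        print(f"undocumented device: {d['name']} {d['mac']} {d['ip']} ({d['connection']})")
```

Running it flags the one constructed device that is not in the documentation. In allow-list mode that device would be refused without any extra work, while in deny-list mode it gets access until you add it to the list, which is why the review's recommendation is to compare the table against your documentation from time to time rather than rely on the deny list alone.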


Wi-Fi Protected Setup (WPS)

I don’t even want to write about WPS. The default setting for WPS is disabled. There is a good reason for it being disabled, and that is because it is vulnerable, vulnerable, vulnerable (did I say it was vulnerable?), was implemented poorly for most routers that support it, and you don’t need it. If you don’t believe me then maybe you’ll believe others. Just do a Google search on WPS vulnerabilities and you’ll be rewarded with more than 664,000 results. Check out this article from Sophos Naked Security.[ix]


Wireless Scheduler

This is basically the same feature you have under parental controls but it’s designed specifically for enabling and/or disabling wireless access.


Security

There are three tabs with different features under the security configuration feature but don’t get your hopes up. I thought I was going to be happily surprised with this particular feature only to be let down. There is a firewall built in which is great but you cannot really modify many settings so I’d recommend you leave the default settings enabled.


Firewall

On the firewall tab you’ll find an option to enable both IPv4 and IPv6 SPI firewall protection. SPI stands for stateful packet inspection, also called dynamic packet filtering. You can also enable or disable VPN Passthrough settings for IPSec Passthrough, PPTP Passthrough, & L2TP Passthrough. You’ll only need to modify these settings if you are using a VPN to access your home network. There are also features to enable some specific Internet Filters that include: Filter anonymous Internet requests, Filter multicast, Filter Internet NAT redirection, and Filter ident (Port 113). Last but not least (OK… it may actually be least), you can add some IPv6 Port Services for your IPv6 SPI firewall settings. Modifying IPv6 firewall settings may be beneficial when/if IPv6 is ever fully implemented and we no longer need IPv4 enabled for backward compatibility, so until then I’m not sure it’s useful for the average user, and that includes me.


DMZ

The idea behind a demilitarized zone or DMZ is to have devices that are external to your protected network and can also be accessed from the Internet. They do not benefit from the router’s firewall, so you need to take steps to protect them through a host-based firewall or other means (user name/password). I have never needed to set up a DMZ, but you may have a reason to do so and can still protect devices in your DMZ by following recommended steps to harden the device. These devices could be anything from a security video camera you want to be able to monitor when you are away from home to a DVR you’ve installed on your network so you can watch videos you’ve recorded while you are away from home. You may also want to have a DMZ if you run your own web server or Exchange server and need users to be able to access these resources from the Internet.
It is fairly easy to set up using the instructions provided in the user manual, and if you want a better explanation along with tutorials on how to set up a DMZ for almost any consumer router, you should check out the resources on http://setuprouter.com.[x]


Apps and Gaming

There are four different options you can configure under this tab, which include: Dynamic DNS (DDNS), Single Port Forwarding, Port Range Forwarding, and Port Range Triggering. The first option is very useful if you want to set up IP based cameras, a web server you operate from home, or even a mail server. If you want to learn more about DDNS then check out the information from Dyn on the Internet.[xi] The other three options are all similar in both purpose and configuration, with a few differences. Single port forwarding is for cases similar to those mentioned above, yet you only need to specify a single port. In the case of port range forwarding you are specifying a range, and in port range triggering you are specifying a range of ports that are not always open, as they are with single port forwarding and port range forwarding. In port range triggering your designated ports are only opened when the router detects an outgoing packet on the specified trigger ports, instead of always being open as you have with port forwarding. See this article for a more detailed explanation.[xii]
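The SPI firewall on the Firewall tab and the three forwarding options just described are all decisions the router makes about an inbound packet, so one model covers both passages. The block below is an added example, not the Linksys firmware's code: a toy stateful inspector with single port forwarding, port range forwarding and port range triggering, in which a triggered range only opens after a LAN host has sent outbound traffic on the trigger range. The rule structures, addresses and port numbers are constructed for illustration, and port translation is left out so that a LAN host's source port is reused unchanged on the WAN side.

```python
"""Toy model of an SPI firewall with port forwarding and port range triggering.

Added example (not the review's or Linksys's code). Addresses come from the
documentation ranges (192.168.1.0/24 LAN, 198.51.100.0/24 and 203.0.113.0/24
for the Internet side). Simplification: no port translation on outbound flows.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    direction: str   # "out" = LAN to Internet, "in" = Internet to the router's WAN address
    src_ip: str
    src_port: int
    dst_ip: str      # for "in" this is the router's WAN address
    dst_port: int    # for "in" this is the port on the WAN address


@dataclass
class RouterState:
    # Single port and port range forwarding: (first, last) -> (lan_ip, lan_port).
    # lan_port None means "same port as on the WAN side" (port range forwarding).
    forwards: dict = field(default_factory=dict)
    # Port range triggering: trigger range -> range to open toward the triggering LAN host.
    triggers: dict = field(default_factory=dict)
    # SPI connection table: (wan_port, remote_ip, remote_port) -> lan_ip
    conntrack: dict = field(default_factory=dict)
    # Triggered ranges currently open -> LAN host that triggered them.
    open_triggers: dict = field(default_factory=dict)


def in_range(port, rng):
    first, last = rng
    return first <= port <= last


def handle_outbound(state, pkt):
    """Record the flow so replies get through, and open any triggered range."""
    state.conntrack[(pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.src_ip
    for trig_range, fwd_range in state.triggers.items():
        if in_range(pkt.dst_port, trig_range):
            state.open_triggers[fwd_range] = pkt.src_ip
    return "allow"


def handle_inbound(state, pkt):
    """Return ("allow"|"forward", (lan_ip, lan_port)) or ("drop", None)."""
    # 1. Reply to a connection a LAN host opened: stateful inspection lets it through.
    lan_ip = state.conntrack.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
    if lan_ip is not None:
        return "allow", (lan_ip, pkt.dst_port)
    # 2. Single port / port range forwarding: these ports are always open.
    for rng, (lan_ip, lan_port) in state.forwards.items():
        if in_range(pkt.dst_port, rng):
            return "forward", (lan_ip, lan_port if lan_port is not None else pkt.dst_port)
    # 3. Port range triggering: open only after outbound traffic on the trigger range.
    for rng, lan_ip in state.open_triggers.items():
        if in_range(pkt.dst_port, rng):
            return "forward", (lan_ip, pkt.dst_port)
    # 4. Unsolicited and not forwarded: dropped by the SPI firewall.
    return "drop", None


def demo_state():
    """Constructed rule set: web server on one host, a range on another, one trigger."""
    return RouterState(
        forwards={(80, 80): ("192.168.1.50", 8080), (6000, 6010): ("192.168.1.60", None)},
        triggers={(6112, 6112): (6113, 6119)},
    )


if __name__ == "__main__":
    st = demo_state()
    wan = "203.0.113.10"
    print(handle_inbound(st, Packet("in", "198.51.100.5", 6112, wan, 6115)))   # drop: not triggered yet
    handle_outbound(st, Packet("out", "192.168.1.70", 40000, "198.51.100.5", 6112))
    print(handle_inbound(st, Packet("in", "198.51.100.5", 6112, wan, 6115)))   # forward to 192.168.1.70
    print(handle_inbound(st, Packet("in", "198.51.100.5", 6112, wan, 40000)))  # allow: reply to the LAN host
```

The ordering of the four checks is the point: a reply to an existing flow is accepted because of state the router recorded, a forwarded port is accepted regardless of state, a triggered range is accepted only while a LAN host has used the trigger, and everything else is dropped. That is why the review treats forwarding rules as something to read the documentation about before enabling, since each static rule is a permanently open door that the SPI state table no longer protects.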


OpenVPN Server

There was absolutely nothing in the user guide for the OpenVPN Server option on the WRT1900ACS router. There was a help link on the OpenVPN Server tab that gave a very basic overview of the OpenVPN Server options. It was pretty straightforward to set up, and connecting to it using my Android phone was very easy. The only problem I had was that after I was connected I couldn’t really do anything, because my Android phone is pretty basic. I believe my Android’s Chrome browser is filtered through the OpenVPN Server, but I’m still experimenting. I could not access any files on my network, so this particular feature deserves more research. At this point all I can say is it was easy to set up on the router, and the OpenVPN client software for my Android phone was also easy to install and set up. All I needed to do was export the OpenVPN configuration file from the router and then import the configuration.


Cybersecurity Evangelist’s closing thoughts

The good, the bad, the ugly… For the average home user or your student going off to college, this is a good router for the money that should provide you a few years of good, reliable service. It’s easy to set up and has reasonable security out of the box with decent performance, but I was not impressed by their documentation. I found their documentation lacking in details, especially when it comes to configuring some of the more important features that affect your security, where you really find no explanation about the feature other than how to set it up. Lastly, for the ugly… Having the ability to attach an external storage device is useful, but I found it did not work as well as it should. My computer lost connectivity with the drive each time I rebooted, and USB 2.0 was just a bit slow. OK… that really wasn’t too ugly, and in truth it’s not a bad router. It’s just not as robust as I would have hoped, since Linksys was previously owned by Cisco. I don’t know if the sale to Belkin has anything to do with the quality of Linksys routers one way or the other, but knowing they were once a subsidiary of Cisco I was hopeful it would be awesome… in the final analysis, it’s a good basic router. I would not recommend it for a small business.


Best Router Security practices

  • Change the router’s default password and make sure it’s a good complex password. Change the default admin ID if you can… unfortunately with the EA6100 you cannot.
  • Ensure you update the router’s firmware.
  • Change the default network name for all three access modes (Ethernet, Wi-Fi 2.4 GHz, Wi-Fi 5.0 GHz) and have fun with your neighbors.
  • Set up WPA2 Personal and make sure you use a password that is complex.
  • Disable any Guest access network when it’s not needed.
  • Use parental controls if you want to establish hours of available Internet access for specific users.
  • Set up and start using a DNS service like OpenDNS, Norton Connect Safe for Home, or Comodo Secure DNS to filter out pornography and other unwanted content.
  • Enable logs so you will have access to reports that will help you troubleshoot problems.
  • Set the maximum number of available IP addresses to the number of devices on your network.
  • Enable MAC filtering to help ensure only those devices you specifically authorize can access your network, or so you can deny the neighbor’s kid (or the neighbor, for that matter) from using your network without your permission. I know some of my friends from the world of cyber security will say MACs can be spoofed… and so they can. But why make it easier when you can make it more challenging for someone to try and break in?
  • Unless you administer your router using a Wi-Fi connection, disable “Access via Wireless” under “Local Management Access”.
  • Disable Universal Plug and Play (UPnP).
  • Ensure Wi-Fi Protected Setup (WPS) is disabled.
  • Ensure your Firewall is enabled.
  • Disable VPN Passthrough unless you are in fact using a VPN to access your home network.
  • Learn more about the differences between DMZ, DDNS, Single Port Forwarding, Port Range Forwarding, and Port Range Triggering before you settle on one method over the other. Read your documentation for the service or device you are setting up to use one of these features and see if there are any security best practices… then take the most prudent steps to be as secure as possible when using any of these.


Best Router Performance practices

  • Leave MTU set to auto.
  • Leave the following settings under Wireless set to auto: Network mode, Channel, Channel width.

I am always interested in hearing from others. If you've found this review useful or you've got some comments that can help me make it better please feel free to contact me here on LinkedIn. I'm also active on Twitter @CysecEvangelist and you can contact me through my website @ www.cybersecurityforeveryone.com
